mirror of https://github.com/ceph/ceph synced 2025-03-29 23:09:47 +00:00

doc/cephadm: document limiting passwordless sudo commands

Based on the previous commits making the remote executables auditable
and explicit, document the admin's ability to restrict password-less
sudo access to only the set of commands cephadm actually uses.

Signed-off-by: John Mulligan <jmulligan@redhat.com>
John Mulligan 2024-03-08 13:56:19 -05:00
parent e357d2f99a
commit 18efb3b742


@ -658,6 +658,51 @@ For example, to distribute configs to hosts with the ``bare_config`` label, run
(See :ref:`orchestrator-cli-placement-spec` for more information about placement specs.)
Limiting Password-less sudo Access
==================================
By default, the cephadm install guide recommends enabling password-less
``sudo`` for the cephadm user. This option is the most flexible and
future-proof but may not be preferred in all environments. An administrator can
restrict ``sudo`` to only running an exact list of commands without password
access. Note that this list may change between Ceph versions and
administrators choosing this option should read the release notes and review
this list in the destination version of the Ceph documentation. If the list
differs one must extend the list of password-less ``sudo`` commands prior to
upgrade.
Commands requiring password-less sudo support:
- ``chmod``
- ``chown``
- ``ls``
- ``mkdir``
- ``mv``
- ``rm``
- ``sysctl``
- ``touch``
- ``true``
- ``which`` (see note)
- ``/usr/bin/cephadm`` or python executable (see note)
.. note:: Typically cephadm will execute ``which`` to determine what python3
command is available and then use the command returned by ``which`` in
subsequent commands.
Before configuring ``sudo`` run ``which python3`` to determine what
python command to add to the ``sudo`` configuration.
In some rare configurations ``/usr/bin/cephadm`` will be used instead.
Configuring the ``sudoers`` file can be performed using a tool like ``visudo``
and adding or replacing a user configuration line such as the following:
.. code-block::
# assuming the cephadm user is named "ceph"
ceph ALL=(ALL) NOPASSWD:/usr/bin/chmod,/usr/bin/chown,/usr/bin/ls,/usr/bin/mkdir,/usr/bin/mv,/usr/bin/rm,/usr/sbin/sysctl,/usr/bin/touch,/usr/bin/true,/usr/bin/which,/usr/bin/cephadm,/usr/bin/python3
Purging a cluster
=================
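Review bot: the new section should state that this list is an auditability and intent control, not a privilege boundary, because the sentence "restrict ``sudo`` to only running an exact list of commands" will otherwise be read as meaningful privilege reduction. As written, ``chmod``, ``chown``, ``mv``, ``rm``, ``mkdir``, ``touch`` and ``python3`` (or ``/usr/bin/cephadm``) are permitted with arbitrary arguments in the sudoers example, so any one of them lets the ``ceph`` user rewrite arbitrary files or run arbitrary code as root; a sentence such as "This configuration limits and makes auditable which binaries cephadm invokes via ``sudo``; it does not prevent a compromised cephadm user from obtaining root, since several of the listed commands accept arbitrary arguments" would set expectations correctly. Two smaller points in the same hunk: the example line hardcodes ``/usr/bin/python3`` (and ``/usr/sbin/sysctl``) right after the note tells the reader to run ``which python3``, so the example should say these paths are illustrative and must match the output of ``which python3`` and ``which sysctl`` on each host, or sudo will still prompt for a password; and ``.. code-block::`` carries no language argument, which Sphinx accepts but ``.. code-block:: text`` would make the intent explicit.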